Category Archives: Electronic Health Records

OCR wins $4.3 million HIPAA Victory against MD Anderson

On June 18, 2018, the Office for Civil Rights (OCR) posted a press release announcing its summary judgment victory against the University of Texas MD Anderson Cancer Center (MD Anderson) – a ruling that will require MD Anderson to pay $4,348,000 in civil money penalties to OCR. According to the press release, this is only the second HIPAA summary judgment victory in OCR’s history, and the $4.3 million is the fourth largest amount ever awarded to OCR for HIPAA violations.

The June 1, 2018 Administrative Law Judge’s decision ultimately hinged on a stolen unencrypted laptop and several lost unencrypted USB thumb drives containing “identifying information such as patient names, addresses, and Social Security numbers; and clinical information such as diagnoses, assessments, prognoses, and treatment regimes” of a total of 33,500 individuals.  Decision at 2.

The hefty fine was based on the fact that MD Anderson had known since 2006 that encryption was an essential risk management tool yet did not get around to fully deploying encrypted devices until after the losses in question. According to the ALJ, MD Anderson before then made only “half-hearted and incomplete efforts at encryption”. Decision at 5.

According to the ALJ:

The question is whether Respondent took the necessary steps to address the risk that it had identified – the potential for data loss due to the storage of ePHI on unencrypted devices. As I have explained, the failure to address that risk is the sum and substance of Respondent’s noncompliance. Had it done so, then unauthorized acts by Respondent’s employees might be relevant to the issue of compliance. But, failure by Respondent to take the security measures that it had identified as necessary renders irrelevant the issue of whether employees were playing by the rules, because that failure created a risk whether or not Respondent’s employees did so.

Decision at 14 (emphasis in original).

This latest OCR action may very well be appealed given the jurisdictional arguments made by MD Anderson. No matter what the final appellate result, however, the ruling should slam the lid on any covered entity ever again questioning whether encryption is worth the cost of deployment. Whether the lesson comes from a state enforcement action or from OCR settlements based on vendor negligence, laptops stolen from a car, or a USB thumb drive improperly taken from an IT department, when it comes to encryption an ounce of prevention is definitely worth at least a pound of cure.

WannaCry provides a wakeup call for more training on email exploits

On May 12, 2017, WannaCry ransomware infections reportedly took hold of 200,000 computer systems in 150 countries.  The rise of ransomware has been a function of how cheap financial data has become to obtain on the dark web and the desire of criminals to branch out with other sources of income.

Ransomware is quite effective given that it purposefully seeks to panic victims into clicking additional links, thereby causing a user’s system to become infected with more pernicious malware. For example, after seeing a screen blink on and off several times, ransomware victims may next see the following message on their screen: “Your computer has been infected with a virus. Click here to resolve the issue.” Clicking on that link, however, will download additional malware to the system – thereby precluding possible quick fixes to the initial exploit. It is such additional malware – coupled with very vulnerable legacy systems and procedures – that likely helped WannaCry propagate so quickly.

Given slow patching and continued widespread use of legacy Windows products, Microsoft sought to slow the spread of WannaCry by offering free patches for its older Windows systems such as Windows XP. Although helpful in curtailing replication, timely patching will not completely stem this threat. Newer exploits such as WannaCry likely exist – and will continue to exist for some time – given that the underlying code was reportedly created by the National Security Agency and is only a small sample of the “treasure trove” of spying tools released by WikiLeaks in March. In fact, the WikiLeaks-released material includes the source code used to evade anti-virus detection, so entry-level hackers apparently now have the ability to immediately up their game.

Given that healthcare data is now considered the most valuable data by thieves, it is no surprise that the healthcare industry was hit especially hard by the WannaCry ransomware exploit. Succumbing to WannaCry, Britain’s hospital network canceled or delayed treatments for thousands of patients. In an effort to stem the tide in the US, HHS quickly offered covered entities access to loss prevention resources – including a link to its ransomware fact sheet and a link to the US-CERT response to WannaCry. Last year, US-CERT offered helpful tips regarding ransomware loss mitigation techniques.

It is suggested that covered entities take to heart HHS’s warnings regarding ransomware exploits. Given that OCR recently fined a covered entity $2.4 million simply for placing the name of a patient on a press release, ignoring HHS warnings regarding ransomware will likely result in significant penalties to HIPAA covered entities should they fall prey to such an exploit.

In addition to security procedures and implementations – such as whitelisting acceptable programs, aggressive email settings, and limiting user permissions – proper training remains the best antidote both to an exploit and to an OCR or other regulatory fine if an exploit ultimately succeeds. And the best training remains having users react to a continuous barrage of decoy exploits aimed at sharpening their skills.

Today’s phishing exploits that are being used to transmit ransomware often rely on some other person’s scraped contact information so that they appear to come from known associates of the user. These exploits may also use content that appears relevant to the user – such as a bar association communication. And finally, the links themselves are masked so that it is not even possible to accurately determine where a link takes the user. Given these indicia of authenticity, users often click on the embedded link rather than hit the delete button. After exposure to numerous training exploits, users are in a much better position to make sound decisions on how to treat actual exploits. During the course of security training, it is suggested that some form of reward be given to those users who score the highest on the phishing training exercises – any money spent today to build an effective training program will pay significant dividends down the road.

OCR’s April settlements reinforce HIPAA priorities

On March 24, 2017, the Office for Civil Rights (OCR) announced the first settlement and corrective action plan involving a wireless health services provider when it announced a $2.5 million settlement with CardioNet – a provider of “remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.” According to the Resolution Agreement and Corrective Action Plan, CardioNet sustained breaches of unsecured electronic protected health information (ePHI) resulting from lost laptops. And, given that the lost laptops in question were unencrypted, CardioNet’s Corrective Action Plan required that CardioNet provide HHS with a certification that “all laptops, flashdrives, SD cards, and other portable media devices are encrypted, together with a description of the encryption methods used.”

In keeping with OCR’s apparent practice of announcing resolutions in groups – with a distinctive lesson to be made with each resolution – there was another settlement announced on April 20, 2017. This time a fine of $31,000 was levied against the Center for Children’s Digestive Health (“CCDH”) after it could not produce a business associate agreement. According to the negotiated Resolution Agreement and Corrective Action Plan, protected health information (PHI) was released to a third-party vendor who stored inactive paper medical records for patients of CCDH without satisfactory assurances, in the form of a written business associate agreement, that the vendor would appropriately safeguard the PHI in the vendor’s possession or control. As it has done in the past when it came to the need for properly-worded business associate agreements, OCR made the point that business associate agreements are a necessary component of the HIPAA framework and that the failure to have one when necessary would be a costly error. See 45 C.F.R. § 164.502(e).

And finally, on April 12, 2017, OCR announced a settlement and corrective action plan based on a covered entity’s failure to have an adequate risk management plan in place. Specifically, on January 27, 2012, Metro Community Provider Network (“MCPN”), a federally-qualified health center, filed a breach report with OCR indicating that a hacker accessed employees’ email accounts and obtained 3,200 individuals’ ePHI through a phishing incident.

OCR’s investigation revealed that MCPN took necessary corrective action related to the phishing incident; however, the investigation also revealed that MCPN failed to conduct a risk analysis until mid-February 2012. Prior to the breach incident, MCPN had not conducted a risk analysis to assess the risks and vulnerabilities in its ePHI environment, and, consequently, had not implemented any corresponding risk management plans to address the risks and vulnerabilities identified in a risk analysis. When MCPN finally conducted a risk analysis, that risk analysis, as well as all subsequent risk analyses, were insufficient to meet the requirements of the Security Rule.

Despite being a non-profit that provides primary medical care, dental care, pharmacies, social work, and behavioral care services “to approximately 43,000 patients per year, a large majority of who have incomes at or below the poverty level”, MCPN was hit with a $400,000 fine for its lack of an adequate risk management plan.

To sum up, this most recent grouping of OCR settlements highlights yet again the need for encryption, business associate agreements, and a working risk management plan. Given that OCR settlements often take years to mature, investigative costs and legal expenses should also be factored into the mix when weighing the benefits of initial compliance. With this latest round of settlements, however, it appears ever clearer that an ounce of prevention is worth a pound of cure.

Horizon settles state HIPAA claims based on lost laptops

On February 15, 2017, Horizon Healthcare Services, Inc. (“Horizon”) agreed to pay New Jersey authorities $1.1 million to resolve alleged HIPAA Privacy and Security Rule violations based on the November 2013 theft of two unencrypted laptops.  The stolen laptops compromised the privacy of 687,838 New Jersey policyholders.  This settlement comes on the heels of the Third Circuit reversing the dismissal of a putative class action filed against Horizon based on the same laptop incident.

After acknowledging that vendor moving company employees may have stolen the laptops, the Complaint recounts numerous alleged HIPAA violations. Complaint ¶¶ 17, 43. Horizon ultimately agreed by way of its consent judgment to a corrective action plan (“CAP”) and third-party audit – with $150,000 of the consent judgment as a “suspended penalty” that would be automatically vacated if the CAP was in material compliance two years after entry of the judgment.

This costly Horizon incident provides several takeaways that never get old – encrypt all laptops and use an IT asset management plan that ensures the IT team can track all laptops with network access. Most importantly, unlike Horizon, never make any exceptions. Complaint ¶ 23 (“As a result of the procurement of the MacBooks outside of Horizon BCBSNJ’s established process, certain MacBooks were not configured with approved encryption, data deletion and other software required by corporate policy.”).

OCR’s latest expensive HIPAA lessons

On January 18, 2017, the Office for Civil Rights (OCR) announced a HIPAA settlement based on the disclosure by MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) of unsecured electronic protected health information (ePHI) stored on a USB storage device. Simply put, a thumb drive stolen in 2011 from MAPFRE’s IT department cost it an astounding $2.2 million as a “resolution amount” in addition to a fairly onerous corrective action plan.

Apparently, the fact that MAPFRE is the U.S. subsidiary of a large “global multinational insurance company headquartered in Spain” played some role in the harsh fine. The USB data storage device included complete names, dates of birth and Social Security numbers and impacted 2,209 individuals. Given that OCR counted MAPFRE’s lack of encryption against it, covered entities should bite the bullet and continue to encrypt all devices touching ePHI no matter what the budget constraints.

Another recent HIPAA settlement allowed OCR to shine a light on something else of concern to HHS, namely the need to report breaches within the 60-day reporting window applicable to breaches impacting 500 or more patients. On January 9, 2017, OCR issued a press release that says it all: “First HIPAA enforcement action for lack of timely breach notification settles for $475,000”. Rather than report within 60 days, Presence Health – a large health care network serving Illinois – took 104 days to report the loss of “paper-based operating room schedules, which contained the PHI of 836 individuals.” A spokesman from Presence Health said in a statement that contact and financial information were not even compromised.

As with past settlements concerning the need for properly-worded business associate agreements, comprehensive risk analyses, and cooperation in investigations, covered entities should appreciate the examples made of MAPFRE and Presence Health – encrypt, and report timely after a breach.

OCR focuses on HIPAA business associate agreements with $750,000 settlement

On April 20, 2016, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that provider group Raleigh Orthopaedic Clinic, P.A. of North Carolina (“Raleigh Orthopaedic”) agreed to pay $750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule “by handing over protected health information (“PHI”) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement.”

OCR initiated its investigation of Raleigh Orthopaedic following receipt of a “breach report” on April 30, 2013. OCR’s investigation indicated that Raleigh Orthopaedic released x-ray films and related protected health information of 17,300 patients to an entity contracted to transfer the x-ray images to electronic media in exchange for harvesting the silver from the films. Raleigh Orthopaedic did not execute a business associate agreement with this entity prior to turning over the x-rays and PHI.

In addition to the $750,000 payment, Raleigh Orthopaedic ultimately agreed to revise its policies and procedures to: “establish a process for assessing whether entities are business associates; designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.”

Raleigh Orthopaedic would have avoided a fine of $750,000, devoting time to a three-year investigation, and the stigma of a Corrective Action Plan if only someone on staff had ensured that released PHI was subject to a properly worded business associate agreement. Given that HHS even offers model business associate agreement language, there is really no excuse for any covered entity or business associate not to use this simple contractual safeguard — especially given that it is mandated. Moreover, there really is no excuse for not having a standard process in place that documents the use and maintenance of business associate agreements — even the smallest of practice groups has an office manager who could implement this process.

OCR Privacy and Security Audits Round Two

On the heels of two recently announced settlements that should serve as wake-up calls for covered entities, the Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced on March 21, 2016 that it will be conducting “Phase Two” of its audits of covered entities and their business associates. According to the announcement, such audits “are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.”

This Phase Two will be quite comprehensive in scope — with a not-so-subtle threat to those who ignore the initial data gathering used to determine the “pool” of audit participants. Specifically, the process begins with verification of an entity’s address and contact information by sending emails to covered entities and business associates with a request that full contact information be provided to OCR in a timely manner. OCR will then transmit “a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.”

If an entity does not respond to the initial request to verify contact information or the pre-audit questionnaire, OCR will simply use publicly available information about the entity to create its own audit subject pool.  As set forth in the announcement, “an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.”

According to OCR, information gleaned from the audits will be used to “develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.”   Dangling what it considers a carrot to participants, OCR further explains that it will “broadly identify best practices gleaned through the audit process and will provide guidance targeted to identified compliance challenges.”

Of significance to this entire audit process is the fact that HHS “is responsible for the on-site auditors. Neither covered entities nor their business associates are responsible for the costs of the audit program.” This may actually turn out to be a harbinger of bad things to come for certain covered entities and business associates. Similar to those “fine-funded” EU Data Protection Agencies, such as the Spanish agency that has gone after Google for the past several years, OCR will likely hit hard in order to justify its audit budget. Ultimately, in the same way a good accountant can mitigate an IRS audit, covered entities and business associates must rely on seasoned counsel as early as possible in the audit process in order to ensure a good learning experience does not morph into a financial hardship. Simply put, before one of these letters comes in the mail, make sure you have your counsel lined up.

Recent HIPAA settlements are wake-up calls

On March 16, 2016, the Office for Civil Rights (“OCR”) announced its $1.55 million Resolution Agreement and Corrective Action Plan with North Memorial Health Care of Minnesota. North Memorial agreed to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to implement a business associate agreement with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.

OCR initiated its investigation of North Memorial following receipt of a report on September 27, 2011, which indicated that “an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.”

The investigation indicated that North Memorial gave its business associate, Accretive, access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. OCR further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure – “including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.”

In addition to the $1,550,000 payment, North Memorial is required to develop “an organization-wide risk analysis and risk management plan, as required under the Security Rule.”  North Memorial will also train appropriate workforce members on “all policies and procedures newly developed or revised pursuant to this corrective action plan.”

In by now typical fashion, OCR announced another settlement right after the North Memorial settlement.

On March 17, 2016, the OCR announced its $3.9 million HIPAA settlement with the biomedical research institute, Feinstein Institute for Medical Research.  Feinstein settled potential HIPAA violations by agreeing to undertake a substantial corrective action plan.  OCR’s investigation began after Feinstein filed a report indicating that on September 2, 2012, a laptop computer containing ePHI of approximately 13,000 patients and research participants was stolen from an employee’s car. The ePHI stored in the laptop included “names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications, and medical information relating to potential participation in a research study.”

OCR’s investigation discovered that Feinstein’s security management process was “limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the entity.” Further, Feinstein lacked “policies and procedures for authorizing access to ePHI by its workforce members, failed to implement safeguards to restrict access to unauthorized users, and lacked policies and procedures to govern the receipt and removal of laptops that contained ePHI into and out of its facilities.”

The Feinstein and North Memorial settlements are obvious wake-up calls.

First, OCR apparently has no problem whatsoever finding that research institutions are covered entities even though such organizations may not squarely fit into the provider, health plan or clearinghouse bucket for all their activities.  See 45 C.F.R. § 160.103.   As set forth by the OCR Director Jocelyn Samuels in the press release, “For individuals to trust in the research process and for patients to trust in those institutions, they must have some assurance that their information is kept private and secure.”

Second, it is much preferable to hire legal counsel and spend several thousand dollars on a good business associate agreement and perhaps $20,000 on a comprehensive risk analysis than it is to pay $1.55 million on an OCR settlement.

And finally, train employees on proper handling of laptops and make sure your laptops are encrypted just in case they are ever lost or stolen. In both cases, the actual trigger leading to these seven-figure settlements was a breach report sent to OCR because of a laptop stolen from a car.

OCR: Lost Records of 192 Patients = $1 million

On the heels of the Cignet Health CMP, the OCR has just announced a Resolution Agreement with Massachusetts General that includes a $1 million “resolution amount”.  Under this Resolution Agreement, Mass General is also required to develop and implement “a comprehensive set of policies and procedures to safeguard the privacy of its patients.”

According to the OCR’s Resolution Agreement dated February 14, 2011, the incident giving rise to the agreement involved the loss of protected health information of 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS.   Specifically, the facts (as recited in the Resolution Agreement) are as follows:

On March 6, 2009, an MGH employee removed from the MGH premises documents containing protected health information (“PHI”). The MGH employee removed the PHI from the MGH premises for the purpose of working on the documents from home. The documents consisted of billing encounter forms containing the name, date of birth, medical record number, health insurer and policy number, diagnosis and name of provider of 66 patients and the practice’s daily office schedules for three days containing the names and medical record numbers of 192 patients.

On March 9, 2009, while commuting to work on the subway, the MGH employee removed the documents containing PHI from her bag and placed them on the seat beside her. The documents were not in an envelope and were bound with a rubber band. Upon exiting the train, the MGH employee left the documents on the subway train and they were never recovered.  These documents contained the PHI of 192 individuals.

In other words, HHS has just determined that employee negligence of the most common variety is worth a cool $1 million.   Enough said.

OCR Gets Serious: $4.3 Million Penalty Under Privacy Rule

As shown by yesterday’s press release and this morning’s email blast, OCR is certainly eager to let the world know that it just issued a Notice of Final Determination and Notice of Proposed Determination finding that Cignet Health violated the HIPAA Privacy Rule to the tune of $4.3 million.

According to yesterday’s Associated Press news feed that blanketed the news outlets as well as fed many privacy blogs, Cignet Health “is a Christian-influenced medical service, has four locations in Prince George’s County, in southern Maryland just outside Washington.”   And, according to its website, “[t]he focus of Cignet health center is to minister to the whole person, both spiritually and physically. Our desire is to help the sick and suffering people the best way we can to the glory of God.”   Cignet Health offers health plans in Nigeria as well as Ghana and acts as “a patient-Provider advocacy alternative to other healthcare presently available in the healthcare market today.”

It is unknown whether this apparently small-scale operation is equipped to pay a $4.3 million penalty. Frankly, it is pretty surprising that such a small healthcare player has the honor of being the very first CE on which HHS has imposed a civil money penalty (CMP) for alleged violations of the HIPAA Privacy Rule. As well, this CMP is the first one based on the “violation categories and increased penalty amounts authorized under the Health Information Technology for Economic and Clinical Health (HITECH) Act.” The HITECH Act has certainly seen noteworthy action given the Connecticut AG’s HITECH Act penalties against Health Net – the first time a state has used the HITECH Act to settle a data breach claim — as well as the enforcement of the HITECH Act’s public disclosure of data breaches. Cignet Health, however, did not sustain a data breach, so the huge penalty is curious to say the least.

What exactly did Cignet Health do?  For starters, it did NOT breach the privacy rights of its patients in any traditional sense.  Unlike with the Health Net breach or the HITECH publications of breaches, this incident involved a more vanilla HIPAA violation.  According to the OCR:

In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009.  These patients individually filed complaints with OCR, initiating investigations of each complaint.  The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records.  Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena.  OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010.  On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.  Covered entities are required under law to cooperate with the Department’s investigations.  The CMP for these violations is $3 million.

In other words, Cignet Health failed to give 41 patients copies of their records on a timely basis and then “failed to cooperate with OCR’s investigations” after complaints were filed by these patients.   Although OCR points out in its Notice of Proposed Determination that the boxes provided to OCR by Cignet Health “also contained the medical records of approximately 4,500 individuals for whom OCR made no request or demand and for whom Cignet had no basis for the disclosure of their protected health information to OCR” this inadvertent disclosure was not the basis of the CMP.

This Cignet Health result is in contrast to the non-CMP “resolution amount” of $100,000 issued to Providence Health in 2008 for alleged HIPAA privacy violations involving unprotected backup tapes, optical disks and laptops that compromised the protected health information of more than 386,000 patients.  HHS publicly stated there was no need for a CMP given the level of cooperation given during the investigation.  Providence Health did, however, sustain significant defense costs and a corrective action plan that brought that $100,000 fee into the millions.

The lesson here is that if called upon to respond to an investigation, do it.  Based on the Cignet Health result and public statements made by OCR personnel at various privacy seminars, OCR certainly places a significant premium on what it perceives to be good faith during an investigation.  As well, be ready to smile into the camera because the OCR is obviously launching into an aggressive enforcement campaign in 2011 and beyond.   For example, the OCR email missive of February 23, 2011 includes the following appeal to potential claimants and whistleblowers:

If you believe that a person or organization covered by the Privacy and Security Rules (a “covered entity”) violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR.  For additional information about how to file a complaint, visit OCR’s web page on filing complaints at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

Make no mistake about it: The OCR is HHS’s enforcement arm and is looking to knock some heads together and make some money for the boss. And the tools, i.e., the HITECH Act and accompanying regs, are now in place to make that Sopranos moment a reality.